[Fedora-directory-users] RE: some questions on using ssl with fds

Sun Jan 15 19:25:31 UTC 2006

I believe that I'm very close to getting this to work for me.  This is
what I've done:

1. created my own CA certificate by running this openssl req -new -x509
-keyout private/cakey.pem -out cacert.pem

2. using the gui, I followed the steps listed here
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1085091
under Obtaining and Installing server certificates, including the step 4
marked Trust the certificate authority.  Everything to this point looks
great; on each directory server the server certificates look fine
including verifying that my new CA is listed and verified under the CA
certs tab. 

I believe at this point that each directory server will inherently trust
each other's server certificate, as their own certificates were signed
by my own CA.  Is this true?  If so, can someone tell me what the next
step is to enable ssl replication between the 2 directory servers as
well as secure client authentication?  Thanks very much.

Aaron 

-----Original Message-----
From: Bliss, Aaron 
Sent: Friday, January 13, 2006 10:26 PM
To: General discussion list for the Fedora Directory server project.
Subject: some questions on using ssl with fds

These are some basic questions that I'm sure you guys will know how to
answer straight away.  Please forgive my ignorance, as I'm still trying
to understand how ssl works and how to get it to work in fds both for my
directory servers and clients.  First some background information.  I
have 2 directory servers and several client servers.  My goal is to get
the directory servers to replicate using an encrypted link (they are
currently replicating great using standard ldap port.  My second goal is
to have the client servers authenticate to the directory servers using
ssl.  I currently do not have a CA in my organization, and would like to
use self signed keys to achieve goals listed above.  I'm trying to
understand how this is supposed to work; I took a look at the howto
www.redhat.com/docs/manuals/dir-sever/ag/7.1/ssl.html#1087158 and have
just a few questions.  

Correct me if I'm wrong, but the way this will work is that I will first
create a CA cert on directory server A (step 6), generate server
certificate (step 7).  Next step will be to export the CA cert and
import into directory server B.   

1. When creating the server cert at step 6, what are the appropriate
values for the -n and -s switches, assuming that my company is named
company.org.  

2. When creating the server certificate at step 7, what are the
appropriate vaules with the -n, -s and -c switches?

3. What are the switches to use to export the CA certificate using the
certutil as well as the appropriate switches to import this certificate
on another server.  

4. Is it true that after importing the CA cert into directory server B
and generating a server certificate on this server, the 2 directory
servers will inherently trust each other as their server certificates
were generated from the same CA certificate?  If so, I believe that I
will then be able to create a replication link between the 2 directory
servers over a ssl link?

5. How do I configure the client servers to use ldaps?  Do I need to
generate server certificates for each box?  If so, where are these
certificates stored on the client servers.  Thanks very much for your
help with this.

Aaron 

www.preferredcare.org
"An Outstanding Member Experience," Preferred Care HMO Plans -- J. D. Power and Associates

Confidentiality Notice:
The information contained in this electronic message is intended for the exclusive use of the individual or entity named above and may contain privileged or confidential information.  If the reader of this message is not the intended recipient or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that dissemination, distribution or copying of this information is prohibited.  If you have received this communication in error, please notify the sender immediately by telephone and destroy the copies you received.